Background information
- Date of final decision: 15 March 2022
- Cross-border case or national case: National
- Controller: The name of the business has been withheld from the public to protect the identities of its employees.
- Legal Reference: Lawfulness of processing (Art. 6), Right to object (Art. 21), Information (Art. 13)
- Decision: Infringement of the GDPR and fine imposed, Order to comply
- Key words: Access control, Employment
Summary of the Decision
Origin of the case
The Norwegian Supervisory Authority became involved in this case after receiving both a non-compliance notification from an employer and a complaint from an employee of the business. The background for the case is that the complainant had left the employer and was supposed to assist the employer with certain tasks after their period of notice had ended. Due to a disagreement, the employee’s access to e-mail and computer systems was terminated. All e-mails sent to the employee’s e-mail address were automatically forwarded to an e-mail address managed by the managing director, a situation that lasted for approximately six weeks.
The e-mails were forwarded for the purpose of managing customer relationships. However, during the period concerned, the managing director handled both job-related and personal e-mails sent to the employee’s e-mail address.
Key Findings
The Norwegian SA have concluded that, pursuant to the General Data Protection Regulation, the employer had no legal basis for the automatic forwarding of e-mails, and that the forwarding was in violation of regulations concerning the right of employers to access e-mail inboxes and other electronic material. The business also acted in violation of the rules concerning notification of the data subject and the obligation to consider the employee’s objections, in addition to having a lack of appropriate procedures for access to e-mails and other electronic material.
Decision
The Norwegian Supervisory Authority has decided to fine the business EUR 10.000 (NOK 100,000) for violating the Norwegian Working Environment Act's provisions concerning e-mail access and the requirements of the General Data Protection Regulation concerning legal basis and disclosure. The business is also ordered to update its procedures.
For further information:
- Fined for automatic forwarding of e-mail (EN), Datatilsynet, Norwegian SA
- Gebyr for automatisk videresending av e-post (NO), Datatilsynet, Norwegian SA
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.